Privacy Policy

    Last updated: March 10, 2026

    Transcribe Audio ("we", "us", or "our") operates the Transcribe Audio Chrome extension and the transcribe-audio.com website (collectively, the "Service").

    This Privacy Policy explains exactly what data we collect through the Chrome extension and website, how we use it, who we share it with, how we store and protect it, and what choices you have. It applies to all users of the Service.

    Summary of Data Practices

    The table below summarises every category of user data we handle, how we collect it, why we use it, and who receives it.

    Data CategoryHow CollectedPurposeShared With
    Email address, name, profile pictureGoogle OAuth sign-in or email/password registrationAccount creation, login, displaying your name/avatar, service emailsSupabase (auth & database), Resend (transactional email)
    Tab audio streamChrome tabCapture API when you click "Start Transcribing"Real-time speech-to-text transcriptionOpenAI (streamed via WebRTC; not stored by us or OpenAI beyond processing)
    Transcription textGenerated by OpenAI from the audio streamDisplayed to you in the floating overlay; stored for your historySupabase (database storage)
    Usage minutesCounted automatically per transcription sessionEnforce plan limits, billingSupabase (database)
    Payment information (card number, billing address)Entered on Stripe's hosted checkout pageProcess subscription paymentsStripe only — we never receive or store card details
    Stripe customer IDCreated by Stripe at checkoutLink your Stripe subscription to your accountSupabase (stored in your profile record)
    Product analytics eventsAutomatic on extension and website (e.g., "transcription started," "popup opened")Understand usage patterns, improve the ServicePostHog (US-hosted)
    Page-view analyticsAutomatic on website onlyUnderstand website trafficVercel Analytics
    Anonymous analytics identifierRandom UUID generated locally in the extensionLink anonymous events to a user after loginPostHog
    Authentication token (JWT)Issued by Supabase on login, stored in chrome.storage.localKeep you logged in between sessionsNot shared — stored locally on your device only

    Data We Do NOT Collect

    To be explicit, the following data is never collected, stored, or transmitted by the Service:

    • Browsing history: We do not track, record, or transmit the URLs you visit.
    • Page content: We do not read, scrape, or collect the content of any web page.
    • Keystrokes or form data: We do not capture keyboard input or data you type into forms.
    • Background audio: Audio is only captured when you explicitly click "Start Transcribing." There is no background recording.
    • Other tabs or apps: Only the single active tab you choose is captured; no other tabs, windows, or applications are accessed.
    • Health, financial, or government-issued identification data.

    Detailed Data Collection

    Information You Provide

    • Account Information: When you sign in with Google OAuth or create an account with email/password, we receive and store your email address, display name, and profile picture. This data is stored in Supabase.
    • Audio Data: When you click "Start Transcribing," the Chrome extension uses the tabCapture API to capture audio from the active browser tab. This audio is streamed directly from your browser to OpenAI's servers via a peer-to-peer WebRTC connection. The audio is not sent to or stored on our servers.
    • Transcription Text: The text output generated by OpenAI from your audio is displayed in a floating overlay on your screen and may be stored in our database (Supabase) as part of your transcription history.
    • Payment Information: Payment is processed entirely by Stripe on their hosted checkout page. We never receive, see, or store your credit card number, CVV, or billing address. We only store the Stripe customer ID that links your payment to your account.

    Information Collected Automatically

    • Usage Minutes: We track the number of minutes you transcribe each month. This is used to enforce plan limits (e.g., 30 minutes/month on the Free plan) and for billing.
    • Product Analytics Events (PostHog): Both the Chrome extension and website send product usage events to PostHog, such as "transcription started," "transcription stopped," "extension installed," and "popup opened." Each event includes metadata: your login status, subscription plan, extension version, and a device identifier. No audio content, transcription text, browsing history, or page content is ever sent to PostHog.
    • Website Analytics (Vercel Analytics): The website uses Vercel Analytics to collect anonymous page-view data (page URL, referrer, country). No personally identifiable information is collected by Vercel Analytics. The Chrome extension does not use Vercel Analytics.
    • Anonymous Identifier: Before you log in, the Chrome extension generates a random UUID stored in chrome.storage.local on your device. This identifier is sent to PostHog with analytics events. When you log in, PostHog links this anonymous ID to your authenticated user ID. This allows us to understand the user journey from install to signup.
    • Authentication Token: A JWT session token issued by Supabase is stored in chrome.storage.local on your device to keep you logged in. This token is sent only to Supabase (for authentication) and to our Edge Functions (to verify your identity). It is never shared with any other third party.

    How We Use Your Data

    We use collected data for the following specific purposes:

    • Provide transcription: Stream your tab audio to OpenAI, receive the transcript, and display it to you.
    • Manage your account: Create your profile, authenticate you, and display your name and avatar.
    • Enforce plan limits: Track transcription minutes to enforce monthly limits per your subscription plan.
    • Process payments: Coordinate with Stripe to manage your subscription and billing.
    • Send service emails: Send a welcome email when you sign up and notify you of important account changes (via Resend).
    • Improve the Service: Analyse aggregated analytics data to understand usage patterns, identify bugs, and prioritise features.
    • Provide support: Use your email to respond to support requests you initiate.

    We do not use your data for advertising, ad targeting, or profiling. We do not sell, rent, or trade your data to any third party.

    Who We Share Data With

    We share user data only with the third-party service providers listed below, and only to the extent necessary for them to perform their specific function. We do not sell or share data with data brokers, advertisers, or any other parties.

    • OpenAI (San Francisco, CA, USA) — Receives tab audio streamed directly from your browser via WebRTC for real-time transcription. OpenAI processes the audio and returns text. Per OpenAI's API data usage policy, data sent through the API is not used to train their models. We do not send any other user data to OpenAI.
    • Supabase (AWS, US regions) — Stores your account profile (email, name, profile picture), subscription status, usage minutes, and transcription history. Also handles authentication (issuing and verifying JWT tokens). Supabase uses Row Level Security so each user can only access their own data.
    • Stripe (USA) — Processes all payment transactions. Stripe receives your payment card details directly on their hosted checkout page (PCI DSS Level 1 compliant). We only receive a Stripe customer ID and subscription status — never your card number or billing address.
    • PostHog (USA) — Receives product analytics events from both the Chrome extension and website. Events contain: event name, timestamp, login status, subscription plan, extension version, and a user identifier. PostHog does not receive audio, transcription text, browsing history, or page content.
    • Vercel Analytics (USA) — Receives anonymous page-view data from the website only (not the Chrome extension). Data includes page URL, referrer, and country. No personally identifiable information is sent to Vercel.
    • Resend (USA) — Receives your email address to deliver transactional emails (welcome email, service notifications). Resend does not receive any other user data.
    • Google — Provides OAuth authentication. When you sign in with Google, Google shares your email, name, and profile picture with us. We do not share any data back with Google beyond the standard OAuth flow.

    We may also disclose data:

    • Legal requirements: When required by law, regulation, or valid legal process.
    • Business transfers: In connection with a merger, acquisition, or sale of assets, with notice to affected users.

    Chrome Extension: Permissions, Data Handling, and Justification

    Our Chrome extension requests the minimum permissions necessary to provide real-time audio transcription. Below is every permission, why it is needed, and exactly what data it accesses.

    Permissions and Justification

    • tabCapture — Captures the audio output of the active browser tab when you click "Start Transcribing." This is the core functionality of the extension. Audio capture only occurs after your explicit action and stops when you click "Stop" or close the tab. No audio is captured in the background.
    • offscreen — Creates an offscreen document to establish a WebRTC connection with OpenAI's Realtime API. The offscreen document receives the captured audio stream and forwards it to OpenAI for transcription. This is required because WebRTC connections cannot be created from the background service worker.
    • storage — Stores two items locally on your device: (1) your authentication token (JWT) so you stay logged in between browser sessions, and (2) a random anonymous analytics identifier (UUID). Both are stored in chrome.storage.local and are never transmitted to third parties (the JWT is sent only to Supabase for authentication).
    • activeTab — Identifies which browser tab to capture audio from when you initiate transcription. This permission is scoped to the currently active tab only and does not grant access to other tabs.

    Host Permission: *.supabase.co

    The extension communicates with our Supabase backend (jlbhthexkazobdxtzfxa.supabase.co) to:

    • Verify your authentication status and subscription plan.
    • Request ephemeral OpenAI session keys for transcription.
    • Report usage minutes after each transcription session.

    No other external hosts are contacted by the extension except OpenAI (api.openai.com) for the WebRTC transcription connection and PostHog (us.i.posthog.com) for analytics events.

    Content Script

    A content script is injected into web pages to render the floating transcription overlay (the text window that displays real-time captions). The content script:

    • Does inject a floating UI element (div) on the page where you are transcribing.
    • Does listen for messages from the background script to display transcription text and handle start/stop controls.
    • Does NOT read, access, modify, or collect any content from the web page.
    • Does NOT access the DOM of the host page beyond injecting its own overlay element.
    • Does NOT capture or transmit the URL of the page.

    How Audio Data Flows

    1. You click "Start Transcribing" in the extension popup.
    2. The background script requests an ephemeral OpenAI session key from our Supabase Edge Function (authenticated with your JWT).
    3. The background script captures audio from the active tab using tabCapture.
    4. An offscreen document establishes a WebRTC peer-to-peer connection directly to OpenAI's Realtime API.
    5. Audio streams from your browser directly to OpenAI — it does not pass through our servers.
    6. OpenAI returns transcription text, which is forwarded to the content script for display in the floating overlay.
    7. When you stop, the WebRTC connection closes, audio capture stops, and usage minutes are reported to our backend.

    Google Chrome Web Store Limited Use Disclosure

    Our use of information received from Chrome browser APIs adheres to the Chrome Web Store User Data Policy, including the Limited Use requirements:

    • Allowed use: We use Chrome API data (tab audio capture, storage, active tab identification) solely to provide the user-facing transcription functionality described in our Chrome Web Store listing, and to improve that functionality.
    • Allowed transfers: We transfer Chrome API data to third parties only as necessary to provide the transcription service (audio to OpenAI for speech-to-text processing), to comply with applicable laws, or as part of a merger, acquisition, or sale of assets with user notice.
    • No advertising: We do not use or transfer Chrome API data to serve advertisements, including retargeting, personalised, or interest-based advertising.
    • No sale of data: We do not sell Chrome API data or any other user data to any third party.
    • Restricted human access: No human reads your audio data or transcription content unless (a) you provide explicit, affirmative consent (e.g., sharing a transcript for customer support), (b) it is necessary for security purposes (investigating abuse), (c) it is required to comply with applicable law, or (d) the data is aggregated and anonymised and used only for internal operations.

    Data Security

    We implement the following security measures to protect your data:

    • Encryption in transit: All data transmitted between your browser, our backend (Supabase Edge Functions), and third-party services uses HTTPS/TLS encryption. The WebRTC connection to OpenAI uses DTLS/SRTP encryption.
    • Encryption at rest: Data stored in Supabase is encrypted at rest using AES-256, provided by AWS infrastructure.
    • Row Level Security: Our database enforces Row Level Security (RLS) policies, ensuring each user can only read and modify their own data.
    • Minimal data collection: We only collect data that is necessary to provide and improve the transcription service.
    • No local server storage of audio: Audio is never sent to or stored on our servers — it streams directly from your browser to OpenAI via WebRTC.
    • Ephemeral API keys: OpenAI session keys are single-use, short-lived, and scoped to one transcription session.

    While we use commercially reasonable measures to protect your data, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.

    Data Retention

    We retain your data for the following periods:

    • Account data (email, name, profile picture): Retained until you request account deletion.
    • Transcription history: Retained until you delete individual transcriptions or your account.
    • Usage data (minutes transcribed): Retained for 12 months for billing and subscription management; reset monthly per your billing cycle.
    • Analytics data (PostHog): Retained by PostHog per their data retention policies. We do not control PostHog's retention period.
    • Analytics data (Vercel): Retained by Vercel per their data retention policies.
    • Audio data: Not retained. Audio is streamed in real-time to OpenAI and is not stored by us or by OpenAI beyond the duration of processing.
    • Payment data: Stripe retains payment records per their policies and legal requirements. We only retain the Stripe customer ID.
    • Local extension data (JWT, anonymous ID): Stored on your device until you log out, uninstall the extension, or clear Chrome storage.

    Your Data Protection Rights

    Regardless of where you are located, you have the following rights regarding your personal data:

    • Access: Request a copy of the personal data we hold about you.
    • Correction: Request correction of inaccurate or incomplete data.
    • Deletion: Request deletion of your account and all associated data. We will delete your data from Supabase and notify third-party processors (Stripe, PostHog) to the extent possible.
    • Data portability: Request your transcription history exported in a portable format.
    • Withdraw consent: Withdraw consent for data processing at any time by contacting us or by uninstalling the extension.
    • Opt out of analytics: Uninstall the Chrome extension to stop all extension analytics. Website analytics can be blocked using standard browser ad-blocking tools.

    To exercise any of these rights, contact us at support@transcribe-audio.com. We will respond to all privacy-related inquiries within 30 days.

    Children's Privacy

    Our Service is not directed to children under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that we have collected personal data from a child under 13 without parental consent, we will delete that data promptly. If you believe a child under 13 has provided us with personal data, please contact us at support@transcribe-audio.com.

    Links to Other Sites

    Our Service may contain links to other sites not operated by us (e.g., Stripe checkout, Chrome Web Store). We strongly advise you to review the privacy policy of every site you visit. We have no control over and assume no responsibility for the content or privacy practices of third-party sites.

    Changes to This Privacy Policy

    We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page and updating the "Last updated" date at the top. For significant changes, we may also notify you by email. Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.

    Contact Us

    If you have any questions or concerns about this Privacy Policy, your data, or our privacy practices, please contact us at:

    We will respond to all privacy-related inquiries within 30 days.